The present invention relates to a network system, a network relay method, and a network relay device, and more particularly to a network system, a network relay method, and a network relay device that perform packet discard control for invalidating a distributed denial of service (DDoS) attack.
In recent years, with the spread of e-commerce and mission-critical communication, the importance of ensuring security on the Internet has increased. In particular, the appearance of the fatal denial of service attack (DoS attack), and of the distributed DoS attack (DDoS attack) that evolved from it, gives cause for great concern about the reliability of the Internet.
A DDoS attack transmits packets that are apparently normal but actually useless to a server device that provides users with a variety of services, thereby excessively consuming a limited system resource within that device and degrading or disabling the device or system under attack. As a result, the normal client service provided by the attacked server is severely denied. Typically, the resource consumed by a DoS attack or a DDoS attack is network bandwidth, CPU cycles of the target host, or a specific structure of the TCP/IP protocol stack such as a fragmentation buffer or a TCP SYN buffer. Further, because easily available attack scripts are widespread on the Internet, the technical hurdle for carrying out a DDoS attack has been lowered.
In general, it is well known that a DDoS attack is relatively simple to carry out but difficult to defend against.
The basic reasons are, for example, as follows:
(1) IP spoofing (that is, an attack packet normally has a falsified source IP address; as a result, the identity of the attack source is effectively concealed, which hampers efforts at detection, defense, or tracing);
(2) The distributed nature of the DDoS attack (that is, an enormous number of sources generate attack traffic at the same time, which increasingly reinforces the attack and raises a problem of scalability in dealing with it; as a result, countermeasures are excessively strained); and
(3) There is no mechanism that allows a victim to easily distinguish a normal packet from fatal attack traffic.
From the above viewpoints, an important goal in the technical field of networks is to improve the connectivity of the network or the server while defending against the DDoS attack.
Japanese Unexamined Patent Application Publication (Translation of PCT Application) No. 2009-529254 discloses an example of a technique invented for the purpose of solving the above problems.